What are common types of security attacks?

Question

Accepted Answer

Understanding common **attack types** — how attackers try to compromise systems — is foundational to defending against them. Major categories include injection, XSS, CSRF, brute force, social engineering, DDoS, and more.

## Web application attacks

```text
INJECTION (SQL, command, etc.) → inject malicious code via input (manipulate queries/commands)
XSS (Cross-Site Scripting) → inject scripts that run in victims' browsers
CSRF (Cross-Site Request Forgery) → trick a logged-in user's browser into making unwanted
  requests (perform actions as them without consent)
BROKEN ACCESS CONTROL → access/modify what you're not authorized to (e.g. IDOR)
SSRF → trick the server into making requests it shouldn't
```

## Authentication / access attacks

```text
BRUTE FORCE → try many passwords/keys until one works (rate-limit, lock out, MFA)
CREDENTIAL STUFFING → use leaked username/password pairs from other breaches
SESSION HIJACKING → steal session tokens/cookies to impersonate a user
PHISHING / SOCIAL ENGINEERING → trick people into revealing credentials/info (the human
  is often the weakest link)
```

## Other attacks

```text
DDoS (Distributed Denial of Service) → flood a system to make it unavailable
MAN-IN-THE-MIDDLE (MITM) → intercept communication (HTTPS prevents this)
MALWARE / ransomware; SUPPLY CHAIN attacks (compromise dependencies/build tools)
ZERO-DAY → exploit unknown/unpatched vulnerabilities
```

## Why it matters

Understanding common types of security attacks is foundational because **you can't defend against threats you don't understand**, so knowing how attackers operate is essential for building secure systems, making this important security knowledge.

Awareness of attack types — how attackers try to compromise systems — is the foundation of defense, since each attack type has corresponding defenses, and understanding the threats motivates and guides protective measures.

Understanding the **web application attacks** — **injection** (manipulating queries/commands via input), **XSS** (scripts running in victims' browsers), **CSRF** (tricking a logged-in user's browser into unwanted requests), **broken access control** (accessing unauthorized resources), and **SSRF** — covers the most common application-level threats developers must defend against.

Understanding **authentication/access attacks** — **brute force** (trying many passwords, countered by rate-limiting and MFA), **credential stuffing** (using leaked credentials), **session hijacking** (stealing tokens), and **phishing/social engineering** (tricking people, since the human is often the weakest link) — covers how attackers target access.

Understanding **other attacks** — **DDoS** (flooding to cause unavailability), **man-in-the-middle** (intercepting communication, prevented by HTTPS), malware, **supply chain attacks** (compromising dependencies — increasingly important), and zero-days — broadens awareness of the threat landscape.

Knowing these attack types enables developers to recognize threats, understand why specific defenses exist (parameterized queries against injection, escaping against XSS, MFA against brute force, HTTPS against MITM), and build appropriate protections.

Since defending against threats requires understanding them and each common attack type has corresponding defenses, and since awareness of the major attacks (injection, XSS, CSRF, brute force, phishing, DDoS, supply chain) is foundational to building secure systems, understanding common security attacks is foundational, essential security knowledge — the threat awareness that underlies all defensive security, necessary for recognizing threats and understanding why security measures exist, and a baseline for any developer building systems that must resist the constant, varied attacks software faces.